Windows 2003 CA in W2K Domain

Guest

Hi, I am planning a deployment of certificate services for a client
deployment. The client has a Windows 2000 domain but will migrate to 2003 at
some future (unplanned as yet) time. I am wondering at the benefits /
possibilities of deploying Windows 2003 certificate services in this
environment. Is this possible and to what degree the new features can be
utilised? I believe some features will require the forest schema to be
updated to 2003 but would appreciate any thoughts anyone has on the pros and
cons of using a 2003 CA in this environment (there will actually be 2 CAs - a
standalone root and a subordinate issuing Enterprise CA). Any thoughts /
experiences of pitfalls very welcome.
Thanks.
 
Brian Komar

The key is applying the Windows Server 2003 Schema. Once the schema is
updated, you have access to all benefits of the Windows Server 2003 PKI
(subject to the client OS versions).

You can choose either Windows 2000 or Windows Server 2003, Standard Edition, for
the offline CAs. Be sure to select Windows Server 2003, Enterprise
Edition, for the issuing CAs.

I have deployed *several* PKIs in the last two years based on this
configuration with no issues.

Brian
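The two things Brian's answer turns on, the forest schema level and the split between an offline standalone root and an Enterprise issuing CA, can both be checked from any domain-joined machine before the design is signed off. The script below is an added example written for this page, not code from the thread or from Microsoft; it reads the Configuration partition over ADSI, so it needs no CA tooling installed. The objectVersion-to-OS mapping is the well-known adprep table (13 = Windows 2000, 30 = Windows Server 2003); the template and enrollment container paths are the standard ones under CN=Public Key Services.

```powershell
# Added example, not from the thread: check the forest schema level that gates
# the Windows Server 2003 PKI features, then list the certificate templates and
# the Enterprise CAs registered in the forest. Run on a domain-joined machine;
# by default any domain user can read the Configuration partition.

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = $rootDse.schemaNamingContext.Value
$configNC = $rootDse.configurationNamingContext.Value

# objectVersion on the schema head records the last adprep /forestprep that ran.
$schemaLevels = @{
    13 = 'Windows 2000'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
}
$schemaVersion = [int]([ADSI]"LDAP://$schemaNC").objectVersion.Value
$level = if ($schemaLevels.ContainsKey($schemaVersion)) { $schemaLevels[$schemaVersion] } else { "newer than this table" }
"Forest schema objectVersion $schemaVersion = $level"
if ($schemaVersion -lt 30) {
    "Schema is below Windows Server 2003: v2 templates, user autoenrollment and key archival " +
    "are unavailable until adprep /forestprep from the 2003 media has been run."
}

# Certificate templates live in the Configuration partition. With a Windows 2000
# schema the msPKI-Template-Schema-Version attribute does not exist at all; after
# the 2003 schema update v1 templates carry 1 and v2 templates carry 2. Only a
# Windows Server 2003 Enterprise Edition CA can issue from v2 templates.
$pkiPath   = "CN=Public Key Services,CN=Services,$configNC"
$templates = [ADSI]"LDAP://CN=Certificate Templates,$pkiPath"
foreach ($t in $templates.Children) {
    $ver = $t.Properties['msPKI-Template-Schema-Version'].Value
    if ($null -eq $ver) { $ver = 'n/a (pre-2003 schema)' }
    "{0,-40} template version {1}" -f $t.Properties['cn'].Value, $ver
}

# Enrollment Services holds one object per Enterprise CA. The offline standalone
# root must NOT appear here; it only needs its certificate published to
# CN=Certification Authorities (certutil -dspublish -f root.crt RootCA) so that
# domain members trust the chain.
$enrollment = [ADSI]"LDAP://CN=Enrollment Services,$pkiPath"
foreach ($ca in $enrollment.Children) {
    "Enterprise CA {0} on {1}" -f $ca.Properties['cn'].Value, $ca.Properties['dNSHostName'].Value
}
```

If the root CA shows up under Enrollment Services, it was installed as an Enterprise CA rather than a standalone one, which defeats the point of keeping it off the network; rebuild it as a standalone root before issuing the subordinate's certificate.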
 
Guest

Hi Brian,

Thanks for the answer. Have you deployed smartcards before and if so how
did you manage the initial deployment (i.e. migration from usernames to
smartcard login)? We have over a thousand users to move across and I am
interested in what has worked (or not) for you.

Regards,
John
 
Brian Komar


I have worked on a few large scale smart card deployments, and they
definitely take a lot of effort.

You have to consider:
- provisioning
- selection of a smart card vendor
- selection of a registration authority (if you do not want to use the
default win2k3 RA - recommended)
- support for applications/servers that do not support smart card auth
(rpc over http, terminal services to win2k, non-domain members)
- what do you do when someone forgets/loses their card
- what measures do you take to identify the subject of the certificate
before issuing the certificate
- how will you handle initial issuance
- how will you handle renewal

HTH,
Brian
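Several of Brian's points (initial issuance, what to do about lost cards, and the mechanics of "moving users across" that John asked about) come down to one account attribute: the ADS_UF_SMARTCARD_REQUIRED bit (0x40000) in userAccountControl. The script below is an added example written for this page, not Brian's procedure or anything from the thread; it enrols one batch of users at a time, and refuses to flip the flag for anyone who does not yet have a Smart Card Logon certificate published to their AD object. The group name is a placeholder, and the assumption that a published userCertificate means the card is in the user's hands is exactly that: an assumption your provisioning process has to make true.

```powershell
# Added example, not from the thread: move one wave of users to smart-card-only
# logon by setting ADS_UF_SMARTCARD_REQUIRED, after checking that each user has
# a valid Smart Card Logon certificate published in AD. Assumes one AD group per
# rollout batch (placeholder name below) and that the issuing CA is already in
# the NTAuth store, which smart card logon requires.

$SmartCardRequired = 0x40000
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$WaveGroup         = 'SmartCard-Wave1'          # placeholder group, one per batch

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = $rootDse.defaultNamingContext.Value

function Get-GroupMembers([string]$GroupName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainNC")
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$GroupName))"
    $group = $searcher.FindOne()
    if ($null -eq $group) { throw "Group $GroupName not found" }
    # 'member' is returned in ranges of 1500; keep each wave smaller than that
    # or switch to ranged retrieval for larger groups.
    foreach ($dn in $group.Properties['member']) { [ADSI]"LDAP://$dn" }
}

function Test-HasSmartCardCert([System.DirectoryServices.DirectoryEntry]$User) {
    # userCertificate is filled in when the template has "Publish certificate in
    # Active Directory" set. No unexpired cert with the Smart Card Logon EKU means
    # the user cannot log on with a card yet, so the flag must not be set.
    foreach ($raw in $User.Properties['userCertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$raw)
        if ($cert.NotAfter -le (Get-Date)) { continue }
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $SmartCardLogonOid })) { return $true }
    }
    return $false
}

function Set-SmartCardRequired([System.DirectoryServices.DirectoryEntry]$User, [bool]$Required) {
    $uac = [int]$User.Properties['userAccountControl'].Value
    if ($Required) { $uac = $uac -bor $SmartCardRequired } else { $uac = $uac -band (-bnot $SmartCardRequired) }
    $User.Properties['userAccountControl'].Value = $uac
    $User.CommitChanges()
}

# Pre-flight report, then flip only the users who are actually ready.
$ready = @(); $notReady = @()
foreach ($u in Get-GroupMembers $WaveGroup) {
    if (Test-HasSmartCardCert $u) { $ready += $u } else { $notReady += $u }
}
"Ready: {0}   Missing a published smart card cert: {1}" -f $ready.Count, $notReady.Count
$notReady | ForEach-Object { "  not ready: " + $_.Properties['sAMAccountName'].Value }

foreach ($u in $ready) {
    Set-SmartCardRequired -User $u -Required $true
    "  smart card now required for " + $u.Properties['sAMAccountName'].Value
}

# Lost or forgotten card: Set-SmartCardRequired -User $u -Required $false lets the
# account fall back to password logon, but the DC set the password to a random
# value when the flag went on, so the helpdesk still has to reset it after
# verifying the user's identity. A temporary card issued from the RA avoids that.
```

Run the pre-flight without the final loop first; the "not ready" list is your provisioning backlog, and it is a far cheaper way to find out that a user never collected their card than a locked-out phone call on Monday morning.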
 
Guest

Thanks

 
